[Vol-users] Volatility-Linux TypeError

Patrick Burkard pbuml at gmx.de
Thu Jan 26 04:28:25 CST 2012


in the last view weeks i've tried to analyze Linux memorydumps with the
volatility-linux Version (Revision 1313 from svn).

My goal is to show that it is possible to discover hidden processes,
kernelmodules etc. (for example from a rootkit) from a memory dump. By
comparing the output from the memorydump analysis with the native
execution of the system commands.

I created a profile for the current stable Debian version.
Trying to use this profile leads to the following TypeError:

python volatility.py --profile=LinuxDebian26325 -f ~/Desktop/LF32.ram
linux_task_list_ps Volatile Systems Volatility Framework 1.4_rc1
Name                 Pid             Uid            
Traceback (most recent call last):
  File "volatility.py", line 129, in <module>
  File "volatility.py", line 120, in main
"/home/dark-eye/Sources/volatility_linux/volatility/commands.py", line
101, in execute func(outfd, data) File
line 59, in render_text for task in data: File
line 50, in calculate for task in
linux_common.walk_list_head("task_struct", "tasks", init_task.tasks,
self.addr_space): File
line 110, in walk_list_head yield obj.Object(struct_name, offset =
list_ptr - offset, vm = addr_space) TypeError: unsupported operand
type(s) for -: 'instancemethod' and 'int'

I would really appreciate to debug or help to debug this issue. Sadly I
can't find a way to evaluate the correctness of the kernel-profile. Is
this a known problem from volatility-linux or could it be the result of
a failure i've made while creating the debian profile?

Thanks for every hint!

More information about the Vol-users mailing list